Early Warning: Sections of Internet under attack, including DNS

unc70 Donating Member (1000+ posts) Wed Apr-22-09 03:32 PM
Original message
Early Warning: Sections of Internet under attack, including DNS
We are seeing various incidents on the Net that might be related. If so, there could be major disruptions and a lot of hijacked sites.

Most of what I see involves corrupting the DNS servers. The Domain Name servers in NZ were hijacked today, misdirecting traffic to sites such as MSN, HSBC, and Sony off to fake sites. Brazilian bank sites were faked earlier. We are seeing various parts of the net go missing for a while.

Earthlink.net is (at least, it was when I started typing this) unreachable from much of the rest of the Net. This could be from some failure, a routing screw-up, or part of some attack.

There is a patch just coming out for Firefox 3 which claims to fix various vulnerabilities with cross site scripting and hijacking; includes yet another involving Flash. This week included MS updates for some really nasty exploits, too.

Finally, a proof of concept hijack of the Intel chip cache poisoning issue I discussed recently on DU. Unfortunately, the implementation of this hijack is easier on Linux than on Windows; don't know about issues with other Unix variants yet.

"So, be careful out there."

MrPerson Donating Member (1000+ posts) Wed Apr-22-09 03:39 PM
Original message
Yahoo has been hard to reach today

Junkdrawer Donating Member (1000+ posts) Wed Apr-22-09 03:39 PM
Response to Original message
1. Seems somewhat normal...

napoleon_in_rags Donating Member (1000+ posts) Wed Apr-22-09 03:41 PM
Response to Original message
2. Can DNS hijacking be used to get credit card numbers?
Or in other words, is SSL vulnerable to man-in-the-middle attacks? I have never been able to figure out why it wouldn't be, but I'm not a security guru.

Junkdrawer Donating Member (1000+ posts) Wed Apr-22-09 04:00 PM
Response to Reply #2
3. If they redirect email DNSs and you hit "Forgot password"...
or they put up a look-alike site and you enter your username and password.

The latter is why many banking sites show an image on a second login page.

unc70 Donating Member (1000+ posts) Wed Apr-22-09 05:40 PM
Response to Reply #2
4. Yes, DNS hijacking is one way, but easier ones are likely more effective
Two of the incidents reported today appear to have been net-wide DNS hijacking, the Brazilian banks and the NZ ones. These types of attacks are relatively easy to detect when they begin, are remedied within a few hours, and raise security against anyone using the acquired account numbers.

Often these network-wide DNS exploits are used to install other malware (trojans, keyloggers) on your local system (typically using MS Windows of some type). Some of this malware hijacks the DNS on your local machine to misdirect certain domains to fake versions; others change your settings so you use their DNS servers instead of approved ones. Or maybe they send all your web traffic through a proxy server (which serves as a man in the middle).

Centralized DNS hijacks are sometimes used in denial of service attacks, particularly if combined with putting a few "loops" in the routing tables.

BTW earthlink.net is claiming that a power failure in Pasadena (?) has caused their problems! Seems unlikely they would be overly concentrated in a single location. Apparently their phones are down, too. Probably using their VoIP options. (Another warning to everyone.)

Here is an example of how I might try to steal banking info. First, I send you one of those emails alerting you to a problem with your account -- for example at BankofAmerica.com -- which you rightfully believe to be malware. You are too smart to click on the link in the email, but think it prudent to determine if there really is a problem; so, you use your web browser to go directly to https://www.bankofamerica.com where you log in, use the sitekey picture, etc. for security, confirm that you were right about it being spam/malware, delete the email, and feel secure.

Wrong! I now have your banking info. How? You were reading your email in a browser window because so much email includes HTML, SWF, PDF, and such. Hidden in the multipart email was a Flash with ActionScript (maybe embedded in a PDF and encoded). This Flash image/application displayed a _transparent_ image that overlaid your browser windows and monitored your keystrokes and mouse clicks. When you brought up the "separate" browser window, it was similarly compromised because it was just another thread/window within the same application/process. (It is slightly more effort to compromise your system and spy on you until you do something interesting.)

So here I am with a Flash-based keylogger running entirely within your browser environment. I also have everything needed to negate sitekey and its friends. While this might be Outlook/IE on MS Windows, just a few enhancements have it working on many Linux/Firefox systems and on Mac. Disabling Flash makes it a little more difficult. Other ways to attack include hijacking well-known web sites or poisoning sites that serve ads to other sites (even DU) or burying XML inside a MS Word document in a multipart/attachment.

But it could have been much worse. My hijack only sent your banking info to my "associates" in the Ukraine. I could have downloaded some hardcore kiddie porn to your PC using your name and credit card info while I was there. Try proving that you were set up; after all, you were home and using your computer at the time!

One more warning. It seems a recent MS security update reinstalled a version of Flash player which does not include recent patches made by Adobe (feeble as they are).

Paranoid?! Me?
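A defender-side check for the local tampering this reply describes (resolver addresses swapped for an attacker's, and hosts-file entries that pin a bank's name to a fake address), added here as an example and not code from this thread; the file contents are constructed samples, and the approved-resolver list and watched domains are assumptions to replace with your own:

```python
import ipaddress

# Constructed sample standing in for /etc/resolv.conf: one approved
# resolver and one that a settings-changing trojan would have added.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.7
options timeout:2
"""

# Constructed sample standing in for /etc/hosts, including the kind of
# entry that misdirects a bank's name to a fake site.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
198.51.100.20   www.bankofamerica.com bankofamerica.com  # planted by malware
"""

# Assumptions: your own resolvers, and names that must never be
# overridden on the local machine.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
WATCHED_DOMAINS = {"bankofamerica.com", "hsbc.com"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text; comments and
    blank lines are skipped and every alias on a line gets its own pair."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def under_domain(name, domain):
    """True if name equals domain or is a subdomain of it (whole labels only)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def audit_dns_config(resolv_text, hosts_text, approved, watched):
    """Return a list of findings as tuples; an empty list means nothing odd."""
    findings = []
    approved_norm = {str(ipaddress.ip_address(a)) for a in approved}
    for server in parse_resolv_conf(resolv_text):
        try:
            norm = str(ipaddress.ip_address(server))
        except ValueError:
            findings.append(("malformed_resolver", server))
            continue
        if norm not in approved_norm:
            findings.append(("rogue_resolver", norm))
    for addr, name in parse_hosts(hosts_text):
        if any(under_domain(name, d) for d in watched):
            findings.append(("hosts_override", name, addr))
    return findings


if __name__ == "__main__":
    for finding in audit_dns_config(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS,
                                    APPROVED_RESOLVERS, WATCHED_DOMAINS):
        print(*finding)
```

On a real machine, read the two files and pass their text in; a Windows host keeps its equivalent under System32\drivers\etc\hosts and its resolvers in the adapter settings rather than resolv.conf.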
 
napoleon_in_rags Donating Member (1000+ posts) Wed Apr-22-09 05:57 PM
Response to Reply #4
5. I don't think you're paranoid at all.
I've had my computer compromised, so I am a believer.

The crazy thing though is the same stuff is being used over and over again. I'm amazed we haven't put together some kind of comprehensive sandbox for Javascript, Flash, Java etc to run in, and then have add on programs, which have to be specified on a per site basis. So instead of having facebook give you that file upload applet which you authorize to read your drive, have it prompt you to download a "web program" which requires authorization for each site that requests its use. The same thing with Flash. Why in the HELL would I want to let a flash movie access my microphone and camera? The capability shouldn't even be there. To use my microphone and camera on the web, I should specifically run ONE program that does just what's needed, which a web page can pass URL info to, and is specifically bound to a particular site for each use. My computer shouldn't be running different flash programs from strangers with degrees of access to that API. The security should be less fine grained: one big sandbox, nothing gets out.

The issue is that these capabilities should be there, but not for strangers. I DO trust Facebook, Google, Amazon etc. with a lot of things. But many sites I visit I don't trust one inch. ALL an untrusted site should be allowed to do is render things in the little square inside my browser, period.

unc70 Donating Member (1000+ posts) Thu Apr-23-09 12:05 PM
Response to Reply #5
11. Be wary of everyone, every site, no exceptions. No trusted sites, only untrusted.
I agree with you about putting severe limits on what web sites are allowed to do, but my limits are extremely restrictive. Very few "trusted" sites should be allowed to do anything other than render things.

That is how HTML started out: no scripts, no java, no embedding except simple images, only simple menus and linking, and few problems with security. Then people get the urge to add just a couple of features to let them do something "neat" and suddenly everyone is slip sliding away. I still resist all this and use lynx or w3m for most of my browsing. Sites like DU work really well; others that require Flash, Java, JavaScript, ActiveX, ... don't work at all.

The sites you trust have each been used recently to mount major attacks; any site that allows users to share content with other users becomes a likely conduit for cross-site scripting exploits.

Google has its own dark side. Google-analytics and Googleads allow tracking of much of the internet traffic by placing a "bug" on sites like DU, implemented as a link to a piece of JavaScript at Google, which can modify the content of that script at any time -- or maybe I have subverted your browser to cache and use my fake version. The Google search algorithms are currently being poisoned by the hackers such that infected sites are often in the top five search results; if you try to get lucky, you might get a bad infection.

Google is looking at everything accessible in almost any format. Gmail, pictures, searches, site visits, etc. are tagged and combined. They have all sorts of research projects that give me pause. One project enabled the mike on your machine to hear what you are listening to, identify background music or television in realtime, and then use that to select which ads to show you.

You also need to remember who owns many of the popular sites. MySpace is owned by News Corp.!

truedelphi Donating Member (1000+ posts) Wed Apr-22-09 08:54 PM
Response to Reply #4
9. Thank you for letting us know all this information.
Wish I could buy you a Brewski.

struggle4progress Donating Member (1000+ posts) Wed Apr-22-09 07:15 PM
Response to Reply #2
7. Cache-poisoning attack snares top Brazilian bank
Google Adsense spoofed
By Dan Goodin in San Francisco
Posted in Crime, 22nd April 2009 00:32 GMT

One of Brazil's biggest banks has suffered an attack that redirected its customers to fraudulent websites that attempted to steal passwords and install malware, according to an unconfirmed report.

According to this Google translation of an article penned in Portuguese, the redirection of Bradesco was the result of what's known as a cache poisoning attack on Brazilian internet service provider NET Virtua.

DNS cache poisoning attacks exploit weaknesses in the internet's domain name system. ISPs that haven't patched their systems against the vulnerabilities are susceptible to attacks that replace the legitimate IP address of a given website with a fraudulent number. End users who rely on the lookup service are then taken to malicious websites even though they typed the correct domain name into their browser ... http://www.theregister.co.uk/2009/04/22/bandesco_cache_poisoning_attack/
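The checks a patched resolver applies before a reply may enter its cache, which is what separates the patched ISPs the article mentions from the susceptible ones, as a simplified model added here as an example (not code from the article or this thread); transaction IDs, ports, names and addresses are constructed sample values:

```python
from dataclasses import dataclass, field


@dataclass
class OutstandingQuery:
    """What the resolver remembers about a query it has sent upstream."""
    txid: int          # 16-bit transaction ID the server must echo back
    src_port: int      # randomised UDP source port the query left from
    qname: str         # question name, e.g. "www.example.com."
    qtype: str         # question type, e.g. "A"
    server_zone: str   # zone the queried server is authoritative for


@dataclass
class Reply:
    """The fields of an inbound reply that the checks below look at."""
    txid: int
    dst_port: int                                # port the reply arrived on
    qname: str
    qtype: str
    records: dict = field(default_factory=dict)  # owner name -> rdata


def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it (whole labels only)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def validate_reply(query, reply):
    """Return (accept, reason). A reply is cached only if every check
    passes; the reason names the first check a bad reply failed."""
    # 1. The 16-bit ID alone is guessable; it is only the first hurdle.
    if reply.txid != query.txid:
        return False, "transaction id mismatch"
    # 2. Source-port randomisation is the second hurdle: a reply aimed at
    #    a port the query never used is dropped without being parsed.
    if reply.dst_port != query.src_port:
        return False, "reply sent to a port with no outstanding query"
    # 3. The answer must be for the question actually asked.
    if (reply.qname.lower(), reply.qtype.upper()) != \
            (query.qname.lower(), query.qtype.upper()):
        return False, "question section does not match outstanding query"
    # 4. Bailiwick: a server may only tell us about names inside its own
    #    zone, so extra records for other zones never reach the cache.
    for owner in reply.records:
        if not in_bailiwick(owner, query.server_zone):
            return False, f"out-of-bailiwick record for {owner}"
    return True, "ok"


def demo():
    """Constructed exchange: one genuine reply and three that must be dropped."""
    query = OutstandingQuery(txid=0x1A2B, src_port=40123,
                             qname="www.example.com.", qtype="A",
                             server_zone="example.com.")
    genuine = Reply(0x1A2B, 40123, "www.example.com.", "A",
                    {"www.example.com.": "192.0.2.10"})
    wrong_id = Reply(0x1A2C, 40123, "www.example.com.", "A",
                     {"www.example.com.": "198.51.100.9"})
    wrong_port = Reply(0x1A2B, 53, "www.example.com.", "A",
                       {"www.example.com.": "198.51.100.9"})
    foreign = Reply(0x1A2B, 40123, "www.example.com.", "A",
                    {"www.example.com.": "192.0.2.10",
                     "www.bank.example.": "198.51.100.9"})
    return {label: validate_reply(query, r) for label, r in
            [("genuine", genuine), ("wrong_id", wrong_id),
             ("wrong_port", wrong_port), ("foreign", foreign)]}


if __name__ == "__main__":
    for label, (accepted, reason) in demo().items():
        print(f"{label:10} {'cached' if accepted else 'dropped'}: {reason}")
```

A resolver that skips check 2 (fixed source port) or check 4 (no bailiwick rule) is the unpatched case the article describes: one matching 16-bit ID is then enough for a forged record to be cached.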
 
tbyg52 Donating Member (1000+ posts) Wed Apr-22-09 05:59 PM
Response to Original message
6. Internet stopped working at my work about 3:00.
Thought it was just our network, but maybe not.

populistdriven Donating Member (1000+ posts) Wed Apr-22-09 08:29 PM
Response to Original message
8. i use opendns to protect me from all that and keep my kids on clean sites
Edited on Wed Apr-22-09 08:29 PM by populistdriven
https://www.opendns.com/

it has ZERO overhead on my pc's and its FREE

unc70 Donating Member (1000+ posts) Thu Apr-23-09 02:16 AM
Response to Reply #8
10. OpenDNS.com is good, but has its own limits and issues
It is a more-reliable DNS server than many on the net and has avoided recent problems with DNS resolving. But with its recent efforts against Conficker / Downadup, I expect OpenDNS to be attacked by the botnet to prevent them from responding to requests.

Yesterday, Network Solutions had DNS problems with domains that NS hosts. The problem took NS an hour or two to fully resolve (PUN), but those sites were unreachable to OpenDNS users for another five or six hours.

There is apparently a way to use the OpenDNS shortcuts feature to redirect your traffic by "redefining" what a URL/URI should mean. We have recently noticed some discussions at hacker sites about this, but haven't followed up yet.

This week there is an experts meeting about how to fix the problems with DNS and with the backbone protocols. Unfortunately, when you open a can of worms you then need a bigger can to hold them. This makes a perfect time to hijack the DNS and OpenDNS in particular; BTW the Black Hats are also meeting this week.

If your machine itself is compromised by some malware or if your router/firewall has been, then you still have trouble.

Take precautions, but don't be over-confident.

populistdriven Donating Member (1000+ posts) Thu Apr-23-09 11:37 PM
Response to Reply #10
12. attack is an understatement this is getting horrible
Edited on Thu Apr-23-09 11:37 PM by populistdriven
what the hell is going on

unc70 Donating Member (1000+ posts) Fri Apr-24-09 03:21 AM
Response to Reply #12
19. Knowing about net security is a lot like spending too much time on DU
After a while you have sorted out which people you believe, you have become aware of things unknown to most of your friends, mostly things that alarm you. Your friends and family have grown tired of hearing about these things, and you find little satisfaction when your predictions are confirmed, for example predicting in Jan 2001 the date of the war in Iraq and being off by less than a month.

demodonkey Donating Member (1000+ posts) Thu Apr-23-09 11:49 PM
Response to Original message
13. And amidst all this, there is a push on right now for Internet Voting... !!!

We still have dangerous Direct Record Electronic voting machines in many places and now there are vendors and/or others pushing hard for Internet Voting. This is happening in many states. The ploy is that it will allow deployed military to vote, but most of us in election integrity believe if they get their foot in the door this way they will soon push for all voting to be Internet based. And once these vendors smell money, look out!

The ploy using military voters is similar to the ploy used to get Direct Record Electronic machines in by claiming disabled voters would be helped. What legislator is going to deny a vote to a soldier or disabled person? Yet by allowing these scammy voting methods, they are doing just that because a vote cast and not counted accurately is NO vote at all.

One computer scientist told me Internet Voting would be all the problems with unverifiable DREs many, MANY times over. "DREs on steroids."

Beware, beware, beware.

McCamy Taylor Donating Member (1000+ posts) Fri Apr-24-09 01:03 AM
Response to Reply #13
18. This had so better not happen...and yet I am afraid Obama will go for it
under guise of investing money in the tech sector.

demodonkey Donating Member (1000+ posts) Fri Apr-24-09 11:40 AM
Response to Reply #18
27. Well please spread the word that Internet Voting is dangerously insecure through the party and...

...everywhere.

Support the election integrity organization of your choice as well and make sure that "no internet voting" is one of their priorities.

nadinbrzezinski Donating Member (1000+ posts) Thu Apr-23-09 11:53 PM
Response to Original message
14. Hmm unix
my mac (unix based) is working like a charm, and no, I am not using firefox on it... but safari

And I did not find any problems with IE on the ancient windows rig.

If you were wondering...

L0oniX Donating Member (1000+ posts) Fri Apr-24-09 09:39 AM
Response to Reply #14
23. MacBook Air got hacked in mere 2 minutes at the CanSecWest

cliffordu Donating Member (1000+ posts) Fri Apr-24-09 12:29 AM
Response to Original message
15. I'll need to see some proof on the Linux being easier to compromise than
Windoze....

It hasn't been true in the 15 years I've been using Linux and the other Unix variants.

How about a link for that info that doesn't include a microsoft-owned website.

Smells like bullshit to me.

OldEuropean Donating Member (57 posts) Fri Apr-24-09 12:56 AM
Response to Reply #15
16. No BS
Microsoft invested LOTS of money to make their OS, Office and IE more secure. Of course, it is far from being 100% secure but it takes much more work these days to find exploits for Microsoft stuff. That is why the malware writers increasingly are targeting 3rd party Windows applications, especially Adobe PDF and Flash. PDF is one of the major malware vectors these days, besides MS Office. These are primarily used for targeted attacks (espionage). That means malware is optimized until no current scanner detects it - and only then deployed.

Linux, on the other hand, has the advantage that there are so many distributions that it is more problematic to find an exploit that is working across several distributions. But the main factor that is "protecting" Linux right now is its low number of users, compared to the MS crap. Malware writing is big business these days; they only target things which are lucrative. Just because nobody with enough motivation (=money) is looking for exploits doesn't mean there aren't any for Linux. Also, the current Linux user base is more educated than the average Windows user. Though I think, with proper social engineering and non-obvious techniques (such as DNS poisoning), many Linux users would fall for malware as well.

unc70 Donating Member (1000+ posts) Fri Apr-24-09 05:49 AM
Response to Reply #16
21. While MS spent money "securing" its apps, it did other things making them less secure
MS was mostly doing remedial work fixing buffer overflows and such. At the same time, they have continued to push even greater levels of linking, embedding, overloading, etc. resulting in designed-in flaws.

Too often MS seems naive and lacking quality control and testing. Excel still has bugs in its recalc engine and in the accuracy of a lot of its functions. For example, a year or two back the Excel random number generator sometimes returned values outside the 0 to 1 range it should have.

populistdriven Donating Member (1000+ posts) Fri Apr-24-09 09:08 AM
Response to Reply #16
22. yep all good reasons to steer clear of the low hanging fruit apps like office acrobat
Edited on Fri Apr-24-09 09:10 AM by populistdriven
But we have no good substitute for flash it needs to be scrapped

Norton AV is the most common target for stealth since it is the most popular

Currently I recommend Vipre and Malwarebytes for Windows users
Possibly Kaspersky also

Remember the lol when the CIA released a redacted Acrobat doc that got unredacted

OldEuropean Donating Member (57 posts) Sat Apr-25-09 01:44 AM
Response to Reply #22
32. flash
It's a good idea to use some sort of execution control program that simply reports every new/unknown executable that is going to get launched. Of course this requires the user to understand the internal working of setups and self-updating applications.
Also, Sandboxie is a useful tool. Place the browser in a sandbox and shut down the sandbox regularly so malware cannot stay active long in your system.

Kaspersky was top for many years but the malware writers target all major AV programs to make their "products" fully undetectable before releasing them.
Vipre/Sunbelt still has a looooooong way to go until it is really comparable to the major players. At least 1 more year of development.
Malwarebytes has the advantage that the malware writers are not taking it seriously or it is simply not on their radar. But when MBAM keeps increasing its popularity, it will be on the target list soon.

The British gov back then released stuff to the press about the Iraq war in Microsoft Office format and forgot to clean up the docs. They contained uncensored versions of the text as Word keeps old revisions of the text in the file. Very funny!

unc70 Donating Member (1000+ posts) Fri Apr-24-09 05:33 AM
Response to Reply #15
20. Not BS in this case. Linux is easier, but Windows and Mac are not very hard
This is an Intel problem that completely negates all the work on security through virtualization and secure and authenticated hardware. Compromising a single VM, using any Op Sys, a single time lets you hijack the lowest levels of the hardware controlling security.

While there have been discussions about this problem since 2008, here is a link to where I read about the PofC code being released and that the Linux exploit was easier than Windows. I suspect that exploits embedded in trusted hardware are already widespread. There have been several exploits of VMware and similar VM products in the past 6 months, most letting a compromise of one virtual machine be used to compromise every VM on the machine.

Microsoft and Adobe are responsible for many of the security problems and seem to be consistently clueless and deserve a grade of F-. While Linux is somewhat better, it deserves maybe a C-. The Mac probably about the same. OpenVMS deserves a B, possibly an A- with the enhanced security option (B2 level).

http://www.theregister.co.uk/2009/03/19/intel_chip_vuln/

cliffordu Donating Member (1000+ posts) Fri Apr-24-09 10:24 AM
Response to Reply #20
26. Still no link about Linux. Wrong article??
Edited on Fri Apr-24-09 10:24 AM by cliffordu
Adobe's problem with security has nothing to do with the operating system.

And when the first paragraph of your linked "proof" consists of this:

"Security researchers are due to publish research on how an Intel chip flaw might be used for potentially malign purposes on Thursday."


"Might be used for potentially....."

If, as you say, there is a back door already embedded in the hardware, that is a different matter altogether. It's not a bug at that point, it's a feature.

When I worked at IBM there were rumblings about back doors in the hardware to allow for govt snooping........

And all this is kind of academic, anyhow. Humans are the easiest software to exploit and hack.

It's where the money is.

unc70 Donating Member (1000+ posts) Fri Apr-24-09 06:59 PM
Response to Reply #26
30. Try this link at network world
The Register article changed after I linked to it.

The discussions on various techie sites like slashdot.com have all been digging into this, so make sure you read some of the comments and the linked-to articles explaining the exploit and independently review the findings:

http://www.networkworld.com/community/node/41180?t51hb

I earlier posted that this problem is really on Intel's doorstep and is not OS dependent. The impact of this problem is that it completely negates the extensive efforts by many working with Intel to use virtualization to provide better hardware security. With this exploit, you only need to gain root privs on Linux in a single VM once. After that, you can install your clever exploit into the hardware and execute at a security level unreachable by operating systems and scanners.

While this particular exploit is a bit easier on Linux, it would be easy on Windows or OS/X.

McCamy Taylor Donating Member (1000+ posts) Fri Apr-24-09 01:02 AM
Response to Original message
17. I had to uninstall Flash 10 and go back to Flash 9 to get my Firefox to work.
And all that testing and debugging was a real chore for me, who knows nada about computers.

That, plus the problem with the Flash cookies makes me wonder if some internet products are deliberately being designed to either 1) screw up the internet or 2) allow bad folks to take advantage of it or 3) both.

Or maybe everyone works on the Microsoft model now.

L0oniX Donating Member (1000+ posts) Fri Apr-24-09 09:41 AM
Response to Original message
24. Good luck hacking my FreeBSD box.
The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked.

http://www.osnews.com/story/6098

cliffordu Donating Member (1000+ posts) Fri Apr-24-09 11:45 AM
Response to Reply #24
28. Yep - I used OpenBSD as a honeypot for a long time just to watch the kiddies
jiggle the locks.

But then again...I LIKE sitting on my ass and reading logs.....

:rofl:

L0oniX Donating Member (1000+ posts) Fri Apr-24-09 01:02 PM
Response to Reply #28
29. I have 1 gig of /var space devoted to logs ...I hate reading them too.

unc70 Donating Member (1000+ posts) Fri Apr-24-09 07:09 PM
Response to Reply #24
31. Actually, my OpenVMS systems would be much harder to hack
I agree that BSD systems are among some of the more-secure Unix like systems. We use them for some of our net-facing machines.

But I would put OpenVMS well above any other widely-used OS. Using the standard configuration without the security enhancements gets you to level C2.

havocmom Donating Member (1000+ posts) Fri Apr-24-09 09:43 AM
Response to Original message
25. Thanks for posting
:kick: